Support obfuscated2

mtglib/internal/obfuscated2/client_handshake.go

@@ -0,0 +1,37 @@
+package obfuscated2
+
+import (
+	"crypto/cipher"
+	"crypto/subtle"
+	"encoding/hex"
+	"fmt"
+)
+
+// Connection Type secure. We support only fake tls.
+var clientHandshakeMagic = []byte{0xdd, 0xdd, 0xdd, 0xdd}
+
+func ClientHandshake(secret []byte, handshakeFrame *HandhakeFrame) (int16, cipher.Stream, cipher.Stream, error) {
+	decHasher := acquireSha256Hasher()
+	defer releaseSha256Hasher(decHasher)
+
+	decHasher.Write(handshakeFrame.key()) // nolint: errcheck
+	decHasher.Write(secret)               // nolint: errcheck
+	decryptor := makeAesCtr(decHasher.Sum(nil), handshakeFrame.iv())
+
+	encHasher := acquireSha256Hasher()
+	defer releaseSha256Hasher(encHasher)
+
+	invertedFrame := handshakeFrame.invert()
+	encHasher.Write(invertedFrame.key()) // nolint: errcheck
+	encHasher.Write(secret)               // nolint: errcheck
+	encryptor := makeAesCtr(encHasher.Sum(nil), invertedFrame.iv())
+
+	decryptedFrame := HandhakeFrame{}
+	decryptor.XORKeyStream(decryptedFrame.data[:], handshakeFrame.data[:])
+
+	if magic := decryptedFrame.magic(); subtle.ConstantTimeCompare(clientHandshakeMagic, magic) != 1 {
+		return 0, nil, nil, fmt.Errorf("unsupported connection type: %s", hex.EncodeToString(magic))
+	}
+
+	return decryptedFrame.dc(), encryptor, decryptor, nil
+}

mtglib/internal/obfuscated2/conn.go

@@ -0,0 +1,33 @@
+package obfuscated2
+
+import (
+	"crypto/cipher"
+	"net"
+)
+
+type Conn struct {
+	net.Conn
+
+	Encryptor cipher.Stream
+	Decryptor cipher.Stream
+
+	writeBuf []byte
+}
+
+func (c *Conn) Read(p []byte) (int, error) {
+	n, err := c.Conn.Read(p)
+	if err != nil {
+		return n, err // nolint: wrapcheck
+	}
+
+	c.Decryptor.XORKeyStream(p, p[:n])
+
+	return n, nil
+}
+
+func (c *Conn) Write(p []byte) (int, error) {
+	c.writeBuf = append(c.writeBuf[:0], p...)
+	c.Encryptor.XORKeyStream(c.writeBuf, c.writeBuf)
+
+	return c.Conn.Write(c.writeBuf)
+}

mtglib/internal/obfuscated2/frame.go

@@ -1 +1,79 @@
 package obfuscated2
+
+import (
+	"encoding/binary"
+	"fmt"
+	"io"
+)
+
+const (
+	handshakeFrameLen = 64
+
+	handshakeFrameLenKey   = 32
+	handshakeFrameLenIV    = 16
+	handshakeFrameLenMagic = 4
+	handshakeFrameLenDC    = 2
+
+	handshakeFrameOffsetStart = 8
+	handshakeFrameOffsetKey   = handshakeFrameOffsetStart
+	handshakeFrameOffsetIV    = handshakeFrameOffsetKey + handshakeFrameLenKey
+	handshakeFrameOffsetMagic = handshakeFrameOffsetIV + handshakeFrameLenIV
+	handshakeFrameOffsetDC    = handshakeFrameOffsetMagic + handshakeFrameLenMagic
+	handshakeFrameOffsetEnd   = handshakeFrameOffsetDC + handshakeFrameLenDC
+)
+
+// A structure of obfuscated2 handshake frame is following:
+//
+//    [frameOffsetFirst:frameOffsetKey:frameOffsetIV:frameOffsetMagic:frameOffsetDC:frameOffsetEnd].
+//
+//    - 8 bytes of noise
+//    - 32 bytes of AES Key
+//    - 16 bytes of AES IV
+//    - 4 bytes of 'magic' - this has some settings like a connection type
+//    - 2 bytes of 'DC'. DC is little endian int16
+//    - 2 bytes of noise
+type HandhakeFrame struct {
+	data [handshakeFrameLen]byte
+}
+
+func (f *HandhakeFrame) Fingerprint() []byte {
+	return f.data[handshakeFrameOffsetStart:handshakeFrameOffsetEnd]
+}
+
+func (f *HandhakeFrame) dc() int16 {
+	data := f.data[handshakeFrameOffsetDC:handshakeFrameOffsetEnd]
+
+	return int16(binary.LittleEndian.Uint16(data))
+}
+
+func (f *HandhakeFrame) key() []byte {
+	return f.data[handshakeFrameLenKey:handshakeFrameOffsetIV]
+}
+
+func (f *HandhakeFrame) iv() []byte {
+	return f.data[handshakeFrameOffsetIV:handshakeFrameOffsetMagic]
+}
+
+func (f *HandhakeFrame) magic() []byte {
+	return f.data[handshakeFrameOffsetMagic:handshakeFrameOffsetDC]
+}
+
+func (f *HandhakeFrame) invert() *HandhakeFrame {
+	newFrame := &HandhakeFrame{}
+
+	for i, v := range f.data {
+		newFrame.data[handshakeFrameLen-1-i] = v
+	}
+
+	return newFrame
+}
+
+func ReadHandshakeFrame(reader io.Reader) (*HandhakeFrame, error) {
+	frame := &HandhakeFrame{}
+
+	if _, err := io.ReadFull(reader, frame.data[:]); err != nil {
+		return nil, fmt.Errorf("cannot read frame data: %w", err)
+	}
+
+	return frame, nil
+}

mtglib/internal/obfuscated2/pools.go

@@ -0,0 +1,22 @@
+package obfuscated2
+
+import (
+	"crypto/sha256"
+	"hash"
+	"sync"
+)
+
+var sha256HasherPool = sync.Pool{
+	New: func() interface{} {
+		return sha256.New()
+	},
+}
+
+func acquireSha256Hasher() hash.Hash {
+	return sha256HasherPool.Get().(hash.Hash)
+}
+
+func releaseSha256Hasher(h hash.Hash) {
+	h.Reset()
+	sha256HasherPool.Put(h)
+}

mtglib/internal/obfuscated2/utils.go

@@ -0,0 +1,15 @@
+package obfuscated2
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+)
+
+func makeAesCtr(key, iv []byte) cipher.Stream {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		panic(err)
+	}
+
+	return cipher.NewCTR(block, iv)
+}

mtglib/proxy.go

@@ -8,6 +8,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/9seconds/mtg/v2/mtglib/internal/obfuscated2"
 	"github.com/panjf2000/ants/v2"
 )
 
@@ -17,13 +18,12 @@ type Proxy struct {
 	streamWaitGroup sync.WaitGroup
 	workerPool      *ants.PoolWithFunc
 
-	secret             Secret
-	network            Network
-	timeAttackDetector TimeAttackDetector
-	antiReplayCache    AntiReplayCache
-	ipBlocklist        IPBlocklist
-	eventStream        EventStream
-	logger             Logger
+	secret          Secret
+	network         Network
+	antiReplayCache AntiReplayCache
+	ipBlocklist     IPBlocklist
+	eventStream     EventStream
+	logger          Logger
 }
 
 func (p *Proxy) ServeConn(conn net.Conn) {
@@ -49,6 +49,12 @@ func (p *Proxy) ServeConn(conn net.Conn) {
 		})
 		ctx.logger.Info("Stream has been finished")
 	}()
+
+	if err := p.doObfuscated2Handshake(ctx); err != nil {
+		p.logger.InfoError("obfuscated2 handshake is failed", err)
+
+		return
+	}
 }
 
 func (p *Proxy) Serve(listener net.Listener) error {
@@ -88,6 +94,32 @@ func (p *Proxy) Shutdown() {
 	p.workerPool.Release()
 }
 
+func (p *Proxy) doObfuscated2Handshake(ctx *streamContext) error {
+	handshakeFrame, err := obfuscated2.ReadHandshakeFrame(ctx.clientConn)
+	if err != nil {
+		return fmt.Errorf("cannot read handshake frame: %w", err)
+	}
+
+	dc, encryptor, decryptor, err := obfuscated2.ClientHandshake(p.secret.Key[:], handshakeFrame)
+	if err != nil {
+		return fmt.Errorf("cannot process client handshake: %w", err)
+	}
+
+	if dc < 0 {
+		dc = -dc
+	}
+
+	ctx.dc = int(dc)
+	ctx.logger = ctx.logger.BindInt("dc", ctx.dc)
+	ctx.clientConn = &obfuscated2.Conn{
+		Conn:      ctx.clientConn,
+		Encryptor: encryptor,
+		Decryptor: decryptor,
+	}
+
+	return nil
+}
+
 func NewProxy(opts ProxyOpts) (*Proxy, error) {
 	switch {
 	case opts.Network == nil:

mtglib/stream_context.go

@@ -13,6 +13,7 @@ type streamContext struct {
 	ctxCancel  context.CancelFunc
 	clientConn net.Conn
 	connID     string
+	dc         int
 	logger     Logger
 }